CipherCloud Discovers Senorita Streisand Effect Is A Hateful Mistress

from the doing-it-wrong dept

Companies using DMCA claims as censorship typically fall into one of two categories. Either the company thinks it's somehow losing money over posted content, or it is looking to silence criticism. This is a story about the latter and how the attempt Streisand-apulted (this should undoubtedly be a word) CipherCloud into an internet frenzy over how the company achieves the encryption it purports to do.

For the purposes of background, CipherCloud runs an online service for encrypting any data that is stored in other cloud-based services, such as public email systems or CRM. It's essentially a promise to make your cloud data private. As adoption of cloud-based services continues to progress, this would seemingly be a valuable service to use, assuming it works as well as they claim. The problem is that the company doesn't get into many specifics over how they achieve any of this, leaving it to internet forums like StackExchange and their users to try and figure it out. That particular thread covers a technical but important question raised by a forum member last August.

Last August, when someone posted a question about CipherCloud’s service to StackExchange, a popular question and answer site for software developers. “How is CipherCloud doing homomorphic encryption?” the question read.

That’s a geeky question, but an honest one. CipherCloud’s service is designed to encrypt data stored in existing online applications without hampering the way these applications operate, and that’s not an easy thing to do. If you encrypt a collection of data, for instance, you may have trouble searching that data. One solution is a technique called “homomorphic encryption,” which would let users manipulate encrypted data as if it wasn’t encrypted — and that’s what the question was getting at.

The question received several answers, with the consensus being that the service likely was not doing homomorphic encryption, since that's a technology that isn't really ready for wider use as of yet. Instead, forum users posted a CipherCloud white paper, a corporate promotional video, and a presentation from a security conference by the company to try to figure out exactly what CipherCloud's service was doing. Most of them settled on the idea that deterministic encryption was being done instead. That technique is generally considered a weak form of encryption. And there the post sat for months. And months. Mostly unnoticed.
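The trade-off the forum users were discussing, as an added illustration that is not from the original article or the StackExchange thread and does not represent CipherCloud's actual scheme: a toy deterministic cipher (constructed here from HMAC-SHA256, not a production design) keeps equal values searchable, and for the same reason shows anyone reading the stored column which rows share a value. All names, keys and sample data are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed demo keys; a real deployment would keep these off the cloud side.
MAC_KEY, STREAM_KEY = os.urandom(32), os.urandom(32)

def _keystream(iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in stream cipher for this demo."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(STREAM_KEY, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def _xor(iv: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, _keystream(iv, len(data))))

def encrypt_deterministic(plaintext: bytes) -> bytes:
    """IV is derived from the plaintext, so equal inputs give equal outputs."""
    iv = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:16]
    return iv + _xor(iv, plaintext)

def encrypt_randomized(plaintext: bytes) -> bytes:
    """Fresh random IV per call, so equal inputs give unrelated outputs."""
    iv = os.urandom(16)
    return iv + _xor(iv, plaintext)

def decrypt(ciphertext: bytes) -> bytes:
    return _xor(ciphertext[:16], ciphertext[16:])

def search(column: list, term: bytes) -> list:
    """Key-holder equality search: encrypt the term, compare ciphertexts."""
    token = encrypt_deterministic(term)
    return [i for i, ct in enumerate(column) if ct == token]

def visible_repeats(column: list) -> list:
    """What a party with no key learns from storage alone: repeat counts."""
    return sorted(Counter(column).values(), reverse=True)

# Constructed sample column, e.g. a status field stored in a cloud CRM.
STATUSES = [b"active", b"closed", b"active", b"active", b"fraud", b"closed"]
DET_COLUMN = [encrypt_deterministic(s) for s in STATUSES]
RND_COLUMN = [encrypt_randomized(s) for s in STATUSES]

if __name__ == "__main__":
    print("search 'active':", search(DET_COLUMN, b"active"), search(RND_COLUMN, b"active"))
    print("repeats, deterministic:", visible_repeats(DET_COLUMN))
    print("repeats, randomized:   ", visible_repeats(RND_COLUMN))
```

The deterministic column answers the search but exposes the 3/2/1 distribution of values to the storage provider; the randomized column hides the distribution and cannot be searched by ciphertext comparison.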

Until, that is, CipherCloud decided to see how badly they could shoot themselves in their own feet.

On Saturday, the company sent a DMCA takedown notice and defamation complaint to StackExchange. With its letter, CipherCloud complained that StackExchange users violated its intellectual property in posting its marketing materials to the site and that they defamed its operation in misrepresenting the way its technology works. The users guessed that CipherCloud used something called deterministic encryption, a relatively weak form of security. The company said this is not the case, pointing out that one of the posters, Sid Shetye, is the CEO of CipherDb, a company that competes with CipherCloud in some ways.

A couple things here. It's difficult to understand how a defamation case works when the forum posts made it clear they were simply speculating based on the marketing material at hand. That's not defamation. Secondly, the idea of sending a copyright takedown notice over marketing material may just be the most ridiculous thing I've ever heard. The entire point of marketing is to spread it as far and wide as possible. Using the DMCA notice this way makes it clear that this isn't about copyright at all, but rather about silencing criticism or, in this case, speculation (which is worse, by the way).

And, finally, it's fun to note that this move will ultimately fail in both the legal realm and in purpose. The EFF has already weighed in, stating that it's clear that use of the marketing material fell under Fair Use and that the defamation claim is laughably without merit.

“I don’t think there’s a court in the country that would hold [the posters] liable for defamation,” [Corynne McSherry of the EFF] says. And if CipherCloud did try to bring defamation charges against the users, she says, the company could be exposed to a potential counter suit under SLAPP laws, which are designed to prevent individuals or companies from using bogus lawsuits to silence critics.

Of course, this previously little-heard-of forum and the questions it posed have now been splashed all over Reddit, Slashdot, Hacker News, and now here. All over a meritless DMCA notice for a forum half a year old. Well done, CipherCloud.

Reader Comments

CipherCloud now dead man walking

CipherCloud is about to be in trouble as serious crypto geeks look over their stuff for weaknesses as a result of this publicity.

Truth is absolute defense in defamation, right? In order for Cipher to show they were defamed, they'd need to show they were using homomorphic encryption.

If they refuse to answer in detail how their crypto works, the (naturally quite paranoid) crypto community will take that as equivalent to admitting it is vulnerable, and no one serious will support or use it.

Cipher is effectively dead in any situation other than if their stuff works as designed and advertised with no vulnerabilities and they can actually prove it.

StackExchange

> previously little-heard-of forum

For the record, StackExchange is not a forum; it's a Q&A site. That may sound pedantic, but to those of us involved in the SE community it's an important distinction. It means you don't come in to have discussions; you're supposed to ask specific questions and provide authoritative answers, and if you try to act like you're on a forum, your posts are likely to get closed.

It's one of the biggest secrets behind SE's popularity, since it keeps the signal-to-noise ratio much higher than your average forum. It may have been little-heard-of four years ago, but today if you go Googling for technical questions, especially regarding programming, you're likely to find answers from StackOverflow (the premier site of the StackExchange network) on the first page, and frequently at the top of it.

Re: Re: Re: Re:

> "I don't think there's a court in the country
> that would hold [the posters] liable for defamation."

Not to mention, if CipherCloud did proceed with a suit for defamation, the defendants would be entitled to discovery to defend their case, truth being an ultimate defense to defamation. Which means CipherCloud would be ordered to open their code up to the defendants for inspection, which is the last thing I imagine they want to do.

> Secondly, the idea of sending a copyright takedown notice over marketing material may just be the most ridiculous thing I've ever heard. The entire point of marketing is to spread it as far and wide as possible.

And yet companies will still issue a DMCA takedown notice if you post their TV commercials to YouTube...

What Defamation

The cryptographers are curious about the encryption method and based on the published information they concluded by consensus a particular method was likely being used. The best reaction is not to sue but to publish enough information about the cryptography methods to keep the crypto-spooks happy.

If I was researching the company and saw this Q&A I would likely read and research more about the techniques mentioned. My interest is not the details of the specific algorithm but what method(s) are they using and what the crypto-spooks think of it.

Re:

I forget the name now, but one of my earliest viewed examples of how Hollywood didn't have a clue about the internet was when they shut down a site dedicated to streaming movie trailers (late 90s, I think - I was still on dialup at that point).

That's right, a site is set up so that people can see all of their advertising with no cost to the studios. Trailers whose *entire purpose* is to make the people watching them want to go and watch the full movie, and they shut it down "because copyright"...

Correction: CipherCloud does not offer a service

CipherCloud is not a service - they sell a software solution as a subscription. This is a relatively new security solution known as a Cloud Encryption Gateway. (Gartner includes this type of product in their Cloud Access Security Broker industry segment.) Many organizations are fearful of putting sensitive data in a cloud service that is out of their control, and some are prevented from doing so based on industry or government regulations. These solutions let organizations secure data via gateways they manage on site, or in a cloud solution managed separately from the SaaS application.

Full disclosure:
My company, PerspecSys, competes with CipherCloud and we actually created the first product in this space back in 2009. However, unlike CipherCloud, we have not written our own encryption - customers are free to use well-vetted solutions from Voltage, Oracle, RSA, and many others, in addition to random tokenization.

Re: Re: Re: Re: CipherCloud now dead man walking

All I know about crypto I learned from Security Now! from Twit.tv. My two big takeaways are never trust a security method that hasn't been pounded on by the experts and never trust a security regime that refuses to show you its methodology.

Sounds like an attempt at security through obscurity which is rarely all that secure.

Re: Re:

> That's right, a site is set up so that people can see all of their advertising with no cost to the studios. Trailers whose *entire purpose* is to make the people watching them want to go and watch the full movie, and they shut it down "because copyright"...

Exactly.

Quite a few years ago, I was browsing one of the adult newsgroups and one producer of adult material was posting censored copies of photos from his web site. I commented that by censoring them, it was much less likely that people would keep them, or repost them in the future. He practically blew a gasket and said that if anyone dared to repost the free, promotional photos that he was posting, he would sue that person.